# Pattern: Short-Lived SSH Certificates Status: draft Readiness target: RL3 production Primary owners: ops-warden, ops-bridge, NetKingdom ## Problem Long-lived SSH keys make operator and agent access hard to revoke, audit, and scope. ## Context Use this pattern for administrative shell access, tunnel access, automation access, and agent access to infrastructure where SSH remains necessary. ## Forces - Operators need reliable emergency and maintenance access. - Access must be time-boxed, attributable, and least privilege. - Agents need identities separate from their human sponsors. - SSH remains useful but should not bypass platform authorization. ## Solution Issue short-lived SSH certificates from a controlled authority after identity and policy checks. Consumers use certificates through ops-bridge or equivalent access paths that record actor, purpose, target, TTL, and correlation ids. ## Implementation Sketch 1. Authenticate the human, automation, or agent identity. 2. Authorize target, role, command class, and TTL. 3. Have ops-warden issue an SSH certificate with principal and expiry. 4. Route access through ops-bridge where practical for audit capture. 5. Revoke or let certificates expire quickly after use. ## Failure Modes | Failure | Mitigation | | --- | --- | | Static SSH key fallback persists | inventory and remove unmanaged keys | | Certificates have broad principals | bind principals to role and target class | | Agent access borrows human identity | issue explicit agent certificates | | Audit path bypassed | restrict direct network/admin paths | ## Related Capabilities - Privileged access management. - Agent access control. - Incident response and recovery. - Observability, detection, and audit. ## Maturity Draft. Pattern ownership is clear, but implementation details live in the ops repos and need verification fixtures. ## Verification - Certificates expire quickly and cannot be renewed silently. - Certificate principal, target, actor, and reason are logged. - Static key exceptions are inventoried and reviewed. - Agent identities are distinguishable from human identities. ## Research Basis Seeded by privileged access management, time-boxed privilege elevation, human/agent identity split, and break-glass access patterns. ## References - Initial exploration: Authorization and access control. - NetKingdom ownership map: ops-warden and ops-bridge.